2022-03-15 19:24:38 +13:00
# Unix SMB/CIFS implementation.
# Copyright (C) Catalyst.NET Ltd 2022
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
import string
import sys
import time
2023-04-05 15:20:57 +12:00
from hashlib import blake2b
2022-03-15 19:24:38 +13:00
import ldb
from samba import param
from samba . auth import system_session
from samba . credentials import Credentials
from samba . dcerpc import security
from samba . ndr import ndr_unpack
from samba . samdb import SamDB
from samba . tests import (
DynamicTestCase ,
TestCase ,
delete_force ,
env_get_var_value ,
sys . path . insert ( 0 , ' bin/python ' )
os . environ [ ' PYTHONUNBUFFERED ' ] = ' 1 '
2023-04-05 16:05:59 +12:00
late_ERR_CONSTRAINT_VIOLATION = b " a hack to allow Windows to sometimes fail late "
2023-04-05 17:20:46 +12:00
class SidStringBase ( TestCase ) :
2022-03-15 19:24:38 +13:00
def setUpDynamicTestCases ( cls ) :
2023-04-13 11:47:19 +12:00
if not hasattr ( cls , ' skip_local ' ) :
cls . skip_local = env_get_var_value ( ' SAMBA_SID_STRINGS_SKIP_LOCAL ' ,
allow_missing = True )
2022-03-15 19:24:38 +13:00
if env_get_var_value ( ' CHECK_ALL_COMBINATIONS ' ,
allow_missing = True ) :
for x in string . ascii_uppercase :
for y in string . ascii_uppercase :
code = x + y
if code not in cls . cases :
cls . cases [ code ] = None
for code , expected_sid in cls . cases . items ( ) :
name = code
cls . generate_dynamic_test ( ' test_sid_string ' , name ,
code , expected_sid )
2023-04-13 11:47:19 +12:00
if not cls . skip_local :
cls . generate_dynamic_test ( ' test_sid_string_internal ' , name ,
code , expected_sid )
2022-03-15 19:24:38 +13:00
def setUpClass ( cls ) :
super ( ) . setUpClass ( )
server = os . environ [ ' DC_SERVER ' ]
host = f ' ldap:// { server } '
lp = param . LoadParm ( )
lp . load ( os . environ [ ' SMB_CONF_PATH ' ] )
creds = Credentials ( )
creds . guess ( lp )
creds . set_username ( env_get_var_value ( ' DC_USERNAME ' ) )
creds . set_password ( env_get_var_value ( ' DC_PASSWORD ' ) )
cls . ldb = SamDB ( host , credentials = creds ,
session_info = system_session ( lp ) , lp = lp )
cls . base_dn = cls . ldb . domain_dn ( )
cls . schema_dn = cls . ldb . get_schema_basedn ( ) . get_linearized ( )
2023-04-05 15:16:21 +12:00
cls . timestamp = str ( int ( time . time ( ) ) )
2023-04-13 11:30:26 +12:00
cls . domain_sid = cls . ldb . get_domain_sid ( )
2022-03-15 19:24:38 +13:00
def _test_sid_string_with_args ( self , code , expected_sid ) :
2023-04-05 15:20:57 +12:00
suffix = int ( blake2b ( code . encode ( ) , digest_size = 3 ) . hexdigest ( ) , 16 )
2022-03-15 19:24:38 +13:00
2023-04-05 15:20:57 +12:00
class_name = f ' my-Sid-String-Class- { self . timestamp } - { suffix } '
2022-03-15 19:24:38 +13:00
class_ldap_display_name = class_name . replace ( ' - ' , ' ' )
class_dn = f ' CN= { class_name } , { self . schema_dn } '
2023-11-15 13:03:27 +13:00
governs_id = f ' { self . timestamp [ - 7 : ] } . { suffix } '
2023-04-05 16:05:59 +12:00
# expected_sid can be a SID string, an error code, None, or a
# special value indicating a deferred error, as follows:
# * a number represents the expected error code at the *first*
# hurdle, creating the classSchema object.
# * late_ERR_CONSTRAINT_VIOLATION means an error when
# creating an object based on the class schema.
# * None means a somewhat unspecified error or failure to set
# the object owner sid.
# * a string is the expected owner sid. The rid is borrowed
# * and tacked onto the governs-id.
if expected_sid is None :
expected_err = ldb . ERR_UNWILLING_TO_PERFORM
elif isinstance ( expected_sid , int ) :
expected_err = expected_sid
elif expected_sid is late_ERR_CONSTRAINT_VIOLATION :
expected_err = None
else :
expected_err = None
2022-08-25 20:21:01 +12:00
# Append the RID to our OID to ensure more uniqueness.
rid = expected_sid . rsplit ( ' - ' , 1 ) [ 1 ]
governs_id + = f ' . { rid } '
2022-03-15 19:24:38 +13:00
ldif = f '''
dn : { class_dn }
objectClass : classSchema
cn : { class_name }
2022-08-25 20:21:01 +12:00
governsId : { governs_id }
2022-03-15 19:24:38 +13:00
subClassOf : top
possSuperiors : domainDNS
defaultSecurityDescriptor : O : { code }
try :
self . ldb . add_ldif ( ldif )
except ldb . LdbError as err :
num , _ = err . args
2023-04-05 16:05:59 +12:00
self . assertEqual ( num , expected_err )
2022-03-15 19:24:38 +13:00
2023-04-05 16:05:59 +12:00
else :
if isinstance ( expected_sid , int ) :
self . fail ( " should have failed " )
2022-03-15 19:24:38 +13:00
# Search for created objectclass
res = self . ldb . search ( class_dn , scope = ldb . SCOPE_BASE ,
attrs = [ ' defaultSecurityDescriptor ' ] )
self . assertEqual ( 1 , len ( res ) )
self . assertEqual ( res [ 0 ] . get ( ' defaultSecurityDescriptor ' , idx = 0 ) ,
f ' O: { code } ' . encode ( ' utf-8 ' ) )
ldif = '''
dn :
changetype : modify
add : schemaUpdateNow
schemaUpdateNow : 1
self . ldb . modify_ldif ( ldif )
2023-04-05 15:20:57 +12:00
object_name = f ' sddl_ { self . timestamp } _ { suffix } '
2022-03-15 19:24:38 +13:00
object_dn = f ' CN= { object_name } , { self . base_dn } '
ldif = f '''
dn : { object_dn }
objectClass : { class_ldap_display_name }
cn : { object_name }
2023-04-05 16:05:59 +12:00
if expected_sid is late_ERR_CONSTRAINT_VIOLATION :
expected_err = ldb . ERR_CONSTRAINT_VIOLATION
try :
self . ldb . add_ldif ( ldif )
except ldb . LdbError as err :
num , _ = err . args
self . assertEqual ( num , expected_err )
if expected_sid is not None :
self . assertIsNone ( expected_err )
2022-03-15 19:24:38 +13:00
# Search for created object
res = self . ldb . search ( object_dn , scope = ldb . SCOPE_BASE ,
attrs = [ ' nTSecurityDescriptor ' ] )
self . assertEqual ( 1 , len ( res ) )
# Delete the object
delete_force ( self . ldb , object_dn )
data = res [ 0 ] . get ( ' nTSecurityDescriptor ' , idx = 0 )
descriptor = ndr_unpack ( security . descriptor , data )
2023-04-13 11:30:26 +12:00
expected_sid = self . format_expected_sid ( expected_sid )
owner_sid = str ( descriptor . owner_sid )
self . assertEqual ( expected_sid , owner_sid )
2022-03-15 19:24:38 +13:00
2023-04-13 11:30:26 +12:00
def format_expected_sid ( self , expected_sid ) :
2022-03-15 19:24:38 +13:00
if expected_sid is None :
2023-04-13 11:30:26 +12:00
return f ' { self . domain_sid } - { security . DOMAIN_RID_ADMINS } '
2022-03-15 19:24:38 +13:00
2023-04-13 11:30:26 +12:00
if not isinstance ( expected_sid , str ) :
# never going to match, should have failed already
return None
2022-03-15 19:24:38 +13:00
2023-04-13 11:30:26 +12:00
return expected_sid . format ( domain_sid = self . domain_sid )
2022-03-15 19:24:38 +13:00
2023-04-13 11:47:19 +12:00
def _test_sid_string_internal_with_args ( self , code , expected_sid ) :
""" We just want to test the SIDs, which Samba can ' t really do because
it doesn ' t parse them until creating an object using the
schema class , at which time it doesn ' t distinguish between a
missing value and a nonsense value .
So let ' s also run the test using libcli/security/sddl.c and
see what we * would * have done .
sddl = f " O: { code } "
domsid = security . dom_sid ( self . domain_sid )
try :
sd = security . descriptor . from_sddl ( sddl , domsid )
2023-10-27 13:20:33 +13:00
except ( ValueError , security . SDDLValueError ) :
2023-04-13 11:47:19 +12:00
# we don't have detail as to what went wrong
self . assertNotIsInstance ( expected_sid , str )
else :
expected_sid = self . format_expected_sid ( expected_sid )
self . assertEqual ( expected_sid , str ( sd . owner_sid ) )
2023-04-05 17:20:46 +12:00
class SidStringTests ( SidStringBase ) :
2023-04-05 15:39:24 +12:00
""" Testing two letter aliases. """
2022-03-15 19:24:38 +13:00
cases = {
' AA ' : ' S-1-5-32-579 ' ,
' AC ' : ' S-1-15-2-1 ' ,
' AN ' : ' S-1-5-7 ' ,
' AO ' : ' S-1-5-32-548 ' ,
' AP ' : ' {domain_sid} -525 ' ,
' AS ' : ' S-1-18-1 ' ,
' AU ' : ' S-1-5-11 ' ,
' BA ' : ' S-1-5-32-544 ' ,
' BG ' : ' S-1-5-32-546 ' ,
' BO ' : ' S-1-5-32-551 ' ,
' BU ' : ' S-1-5-32-545 ' ,
' CA ' : ' {domain_sid} -517 ' ,
' CD ' : ' S-1-5-32-574 ' ,
' CG ' : ' S-1-3-1 ' ,
' CN ' : ' {domain_sid} -522 ' ,
' CO ' : ' S-1-3-0 ' ,
' CY ' : ' S-1-5-32-569 ' ,
' DC ' : ' {domain_sid} -515 ' ,
' DD ' : ' {domain_sid} -516 ' ,
' DG ' : ' {domain_sid} -514 ' ,
' DU ' : ' {domain_sid} -513 ' ,
' EA ' : ' {domain_sid} -519 ' ,
' ED ' : ' S-1-5-9 ' ,
' EK ' : ' {domain_sid} -527 ' ,
' ER ' : ' S-1-5-32-573 ' ,
' ES ' : ' S-1-5-32-576 ' ,
' HA ' : ' S-1-5-32-578 ' ,
' HI ' : ' S-1-16-12288 ' ,
' IS ' : ' S-1-5-32-568 ' ,
' IU ' : ' S-1-5-4 ' ,
' KA ' : ' {domain_sid} -526 ' ,
' LA ' : ' {domain_sid} -500 ' ,
' LG ' : ' {domain_sid} -501 ' ,
' LS ' : ' S-1-5-19 ' ,
' LU ' : ' S-1-5-32-559 ' ,
' LW ' : ' S-1-16-4096 ' ,
' ME ' : ' S-1-16-8192 ' ,
' MP ' : ' S-1-16-8448 ' ,
' MS ' : ' S-1-5-32-577 ' ,
' MU ' : ' S-1-5-32-558 ' ,
' NO ' : ' S-1-5-32-556 ' ,
' NS ' : ' S-1-5-20 ' ,
' NU ' : ' S-1-5-2 ' ,
' OW ' : ' S-1-3-4 ' ,
' PA ' : ' {domain_sid} -520 ' ,
' PO ' : ' S-1-5-32-550 ' ,
' PS ' : ' S-1-5-10 ' ,
' PU ' : ' S-1-5-32-547 ' ,
' RA ' : ' S-1-5-32-575 ' ,
' RC ' : ' S-1-5-12 ' ,
' RD ' : ' S-1-5-32-555 ' ,
' RE ' : ' S-1-5-32-552 ' ,
' RM ' : ' S-1-5-32-580 ' ,
' RO ' : ' {domain_sid} -498 ' ,
' RS ' : ' {domain_sid} -553 ' ,
' RU ' : ' S-1-5-32-554 ' ,
' SA ' : ' {domain_sid} -518 ' ,
' SI ' : ' S-1-16-16384 ' ,
' SO ' : ' S-1-5-32-549 ' ,
' SS ' : ' S-1-18-2 ' ,
' SU ' : ' S-1-5-6 ' ,
' SY ' : ' S-1-5-18 ' ,
# Not tested, as it always gives us an OPERATIONS_ERROR with Windows.
# 'UD': 'S-1-5-84-0-0-0-0-0',
' WD ' : ' S-1-1-0 ' ,
' WR ' : ' S-1-5-33 ' ,
' aa ' : ' S-1-5-32-579 ' ,
' Aa ' : ' S-1-5-32-579 ' ,
' aA ' : ' S-1-5-32-579 ' ,
' BR ' : None ,
' IF ' : None ,
' LK ' : None ,
2023-04-05 15:39:24 +12:00
class SidStringsThatStartWithS ( SidStringBase ) :
""" Testing normal or normal-adjacent SIDs """
cases = {
# testing explicit string to string round trips.
' S-1-5-32-579 ' : ' S-1-5-32-579 ' ,
' S-1-5-0x20-579 ' : ' S-1-5-32-579 ' , # hex
' S-1-0x05-32-579 ' : ' S-1-5-32-579 ' ,
' S-1-5-040-579 ' : ' S-1-5-40-579 ' , # no octal
' S-1-0x50000000-32-579 ' : ' S-1-1342177280-32-579 ' ,
' S-1-0x500000000-32-579 ' : ' S-1-0x500000000-32-579 ' ,
' S-1-21474836480-32-579 ' : ' S-1-0x500000000-32-579 ' , # >32 bit is hex
f ' S-1-5- { ( 1 << 32 ) - 1 } -579 ' : ' S-1-5-4294967295-579 ' ,
f ' S-1- { ( 1 << 48 ) - 1 } -579 ' : ' S-1-0xffffffffffff-579 ' ,
f ' S-1- { ( 1 << 48 ) } -579 ' : ldb . ERR_UNWILLING_TO_PERFORM ,
' S-1-99999999999999999999999999999999999999-32-11111111111 ' : ldb . ERR_UNWILLING_TO_PERFORM ,
' S-1-5-0-579 ' : ' S-1-5-0-579 ' ,
' S-1-0-0-579 ' : ' S-1-0-0-579 ' ,
' S-1-0x5-0x20-0x243 ' : ' S-1-5-32-579 ' ,
' S-1-5-32--579 ' : ldb . ERR_UNWILLING_TO_PERFORM ,
' S-1-5-32- 579 ' : ldb . ERR_UNWILLING_TO_PERFORM ,
' S-1-5-32 -579 ' : ldb . ERR_UNWILLING_TO_PERFORM ,
' S-1-5-3 2-579 ' : ldb . ERR_UNWILLING_TO_PERFORM ,
' S-1-1-1-1-1-1-1 ' : ldb . ERR_UNWILLING_TO_PERFORM ,
# go to lower case in hex.
' S-1-0xABcDef123-0xABCDef-579 ' : ' S-1-0xabcdef123-11259375-579 ' ,
' S-1-1-1-1-1-1-1 ' : ' S-1-1-1-1-1-1-1 ' ,
' s-1-5-32-579 ' : ' S-1-5-32-579 ' ,
' S-01-5-32-579 ' : ' S-1-5-32-579 ' ,
' S-000000001-5-32-579 ' : ' S-1-5-32-579 ' ,
# some strings from https://bugzilla.samba.org/show_bug.cgi?id=14213
' S-1-0 ' : ldb . ERR_UNWILLING_TO_PERFORM ,
' S-1-22 ' : ldb . ERR_UNWILLING_TO_PERFORM ,
' S-1-22-1 ' : ' S-1-22-1 ' ,
' S-1-22-1-0 ' : ' S-1-22-1-0 ' ,
' S-1-3-0 ' : ' S-1-3-0 ' ,
' S-1-3-99 ' : ' S-1-3-99 ' ,
' S-01-05-020-0243 ' : ' S-1-5-20-243 ' ,
' S-000000000001-5-20-243 ' : ' S-1-5-20-243 ' ,
' S-1-000000000000000005-20-243 ' : ' S-1-5-20-243 ' ,
' S-1-5-20-00000000000243 ' : ' S-1-5-20-243 ' ,
2023-04-12 13:31:40 +12:00
class SidStringBehavioursThatWindowsAllows ( SidStringBase ) :
""" Windows interpretations that we probably don ' t want to follow """
cases = {
# saturating sub-auth values at 32 bits
' S-1-5-9999999999-579 ' : ' S-1-5-4294967295-579 ' ,
' S-1-0x500000000-0x500000000-579 ' : ' S-1-0x500000000-4294967295-579 ' ,
' S-1-5-11111111111111111111111111111111111-579 ' : ' S-1-5-4294967295-579 ' ,
f ' S-1-5- { ( 1 << 64 ) - 1 } -579 ' : ' S-1-5-4294967295-579 ' ,
f ' S-1-5- { 1 << 64 } -579 ' : ' S-1-5-4294967295-579 ' ,
# S-0x1- ?! on Windows this makes everything else a hex number.
' S-0x1-5-40-579 ' : ' S-1-5-64-1401 ' ,
' S-0x1-0-0-579 ' : ' S-1-0-0-1401 ' ,
' S-0x1-500000000-20-243 ' : ' S-1-0x500000000-32-579 ' ,
' S-0x1-5-20-243 ' : ' S-1-5-32-579 ' ,
' S-0x1-0x5-020-0243 ' : ' S-1-5-32-579 ' ,
' S-1-0xABcDef123-0xABCDef123-579 ' : ' S-1-0xabcdef123-4294967295-579 ' ,
' S-0-5-32-579 ' : late_ERR_CONSTRAINT_VIOLATION ,
' S-2-5-32-579 ' : late_ERR_CONSTRAINT_VIOLATION ,
' S-10-5-32-579 ' : late_ERR_CONSTRAINT_VIOLATION ,
class SidStringBehavioursThatSambaPrefers ( SidStringBase ) :
""" Aspirational alternative answers to the
SidStringBehavioursThatWindowsAllows cases . """
cases = {
' S-1-5-9999999999-579 ' : ldb . ERR_UNWILLING_TO_PERFORM ,
' S-1-0x500000000-0x500000000-579 ' : ldb . ERR_UNWILLING_TO_PERFORM ,
' S-1-5-11111111111111111111111111111111111-579 ' : ldb . ERR_UNWILLING_TO_PERFORM ,
f ' S-1-5- { ( 1 << 64 ) - 1 } -579 ' : ldb . ERR_UNWILLING_TO_PERFORM ,
f ' S-1-5- { 1 << 64 } -579 ' : ldb . ERR_UNWILLING_TO_PERFORM ,
' S-0x1-5-40-579 ' : ldb . ERR_UNWILLING_TO_PERFORM ,
' S-0x1-0-0-579 ' : ldb . ERR_UNWILLING_TO_PERFORM ,
' S-0x1-500000000-20-243 ' : ldb . ERR_UNWILLING_TO_PERFORM ,
' S-0x1-5-20-243 ' : ldb . ERR_UNWILLING_TO_PERFORM ,
' S-0x1-0x5-020-0243 ' : ldb . ERR_UNWILLING_TO_PERFORM ,
' S-1-0xABcDef123-0xABCDef123-579 ' : ldb . ERR_UNWILLING_TO_PERFORM ,
' S-0-5-32-579 ' : ldb . ERR_UNWILLING_TO_PERFORM ,
' S-2-5-32-579 ' : ldb . ERR_UNWILLING_TO_PERFORM ,
' S-10-5-32-579 ' : ldb . ERR_UNWILLING_TO_PERFORM ,
2023-04-13 11:21:38 +12:00
class SidStringsAsDnInSearchBase ( SidStringBase ) :
""" How does a bad <SID=x> dn work as a search base, if at all?
This suggests that Windows does the SID parsing
( INVALID_DN_SYNTAX ) before starting the search ( NO_SUCH_OBJECT ) .
Currently Samba does not .
skip_local = True
cases = { ' S-1-1-1-1-1-1-1 ' : ldb . ERR_INVALID_DN_SYNTAX ,
' S-0-5-32-579 ' : ldb . ERR_INVALID_DN_SYNTAX ,
' S-000000000001-5-20-243 ' : ldb . ERR_INVALID_DN_SYNTAX ,
' S-000000001-5-32-579 ' : ldb . ERR_INVALID_DN_SYNTAX ,
' S-01-05-020-0243 ' : ldb . ERR_NO_SUCH_OBJECT ,
' S-01-5-32-11579 ' : ldb . ERR_NO_SUCH_OBJECT ,
' S-0x1-0-0-579 ' : ldb . ERR_INVALID_DN_SYNTAX ,
' S-0x1-0x5-020-0243 ' : ldb . ERR_INVALID_DN_SYNTAX ,
' S-0x1-5-20-243 ' : ldb . ERR_INVALID_DN_SYNTAX ,
' S-0x1-5-40-579 ' : ldb . ERR_INVALID_DN_SYNTAX ,
' S-0x1-500000000-20-243 ' : ldb . ERR_INVALID_DN_SYNTAX ,
' S-1-0 ' : ldb . ERR_NO_SUCH_OBJECT ,
' S-1-0-0-579 ' : ldb . ERR_NO_SUCH_OBJECT ,
' S-1-0x05-32-11579 ' : ldb . ERR_NO_SUCH_OBJECT ,
' S-1-0x5-0x20-0x243 ' : ldb . ERR_NO_SUCH_OBJECT ,
' S-1-0x50000000-32-579 ' : ldb . ERR_NO_SUCH_OBJECT ,
' S-1-0x500000000-0x500000000-579 ' : ldb . ERR_NO_SUCH_OBJECT ,
' S-1-0x500000000-32-579 ' : ldb . ERR_NO_SUCH_OBJECT ,
' S-1-0xABcDef123-0xABCDef123-579 ' : ldb . ERR_NO_SUCH_OBJECT ,
' S-1-1-1-1-1-1-1 ' : ldb . ERR_NO_SUCH_OBJECT ,
' S-1-21474836480-32-579 ' : ldb . ERR_NO_SUCH_OBJECT ,
' S-1-22 ' : ldb . ERR_NO_SUCH_OBJECT ,
' S-1-22-1 ' : ldb . ERR_NO_SUCH_OBJECT ,
' S-1-22-1-0 ' : ldb . ERR_NO_SUCH_OBJECT ,
' S-1-281474976710655-579 ' : ldb . ERR_NO_SUCH_OBJECT ,
' S-1-281474976710656-579 ' : ldb . ERR_INVALID_DN_SYNTAX ,
' S-1-3-0 ' : ldb . ERR_NO_SUCH_OBJECT ,
' S-1-3-99 ' : ldb . ERR_NO_SUCH_OBJECT ,
' S-1-5-0-579 ' : ldb . ERR_NO_SUCH_OBJECT ,
' S-1-5-040-579 ' : ldb . ERR_NO_SUCH_OBJECT ,
' S-1-5-0x20-579 ' : ldb . ERR_NO_SUCH_OBJECT ,
' S-1-5-11111111111111111111111111111111111-579 ' : ldb . ERR_INVALID_DN_SYNTAX ,
' S-1-5-18446744073709551615-579 ' : ldb . ERR_INVALID_DN_SYNTAX ,
' S-1-5-18446744073709551616-579 ' : ldb . ERR_INVALID_DN_SYNTAX ,
' S-1-5-3 2-579 ' : ldb . ERR_NO_SUCH_OBJECT ,
' S-1-5-32 -11111579 ' : None ,
' S-1-5-32- 579 ' : ldb . ERR_INVALID_DN_SYNTAX ,
' S-1-5-32--579 ' : ldb . ERR_INVALID_DN_SYNTAX ,
' S-1-5-32-11579 ' : ldb . ERR_NO_SUCH_OBJECT ,
' S-1-5-4294967295-579 ' : ldb . ERR_NO_SUCH_OBJECT ,
' S-1-5-9999999999-579 ' : ldb . ERR_INVALID_DN_SYNTAX ,
' S-1-99999999999999999999999999999999999999-32-11111111111 ' : ldb . ERR_INVALID_DN_SYNTAX ,
' S-10-5-32-579 ' : ldb . ERR_INVALID_DN_SYNTAX ,
' S-2-5-32-579 ' : ldb . ERR_INVALID_DN_SYNTAX ,
' s-1-5-32-579 ' : ldb . ERR_INVALID_DN_SYNTAX ,
def _test_sid_string_with_args ( self , code , expected ) :
try :
self . ldb . search ( base = f " <SID= { code } > " ,
scope = ldb . SCOPE_BASE ,
attrs = [ ] )
except ldb . LdbError as e :
self . assertEqual ( e . args [ 0 ] , expected )
else :
self . assertIsNone ( expected )
2023-04-13 12:11:48 +12:00
class SidStringsAsDnSearchWithDnObject ( SidStringBase ) :
""" How does a bad <SID=x> dn work as a search base, if at all?
This time we parse the DN in ldb first .
skip_local = True
cases = { ' S-1-1-1-1-1-1-1 ' : ( ' parse error ' , None ) ,
' S-0-5-32-579 ' : ( None , ldb . ERR_INVALID_DN_SYNTAX ) ,
' S-000000000001-5-20-243 ' : ( ' parse error ' , None ) ,
' S-000000001-5-32-579 ' : ( ' parse error ' , None ) ,
' S-01-05-020-0243 ' : ( None , ldb . ERR_NO_SUCH_OBJECT ) ,
' S-0x1-0-0-579 ' : ( ' parse error ' , None ) ,
' S-0x1-0x5-020-0243 ' : ( ' parse error ' , None ) ,
' S-0x1-5-20-243 ' : ( ' parse error ' , None ) ,
' S-0x1-5-40-579 ' : ( ' parse error ' , None ) ,
' S-0x1-500000000-20-243 ' : ( ' parse error ' , None ) ,
' S-1-0 ' : ( None , ldb . ERR_NO_SUCH_OBJECT ) ,
' S-1-0-0-579 ' : ( None , ldb . ERR_NO_SUCH_OBJECT ) ,
' S-1-0x05-32-579 ' : ( None , None ) ,
' S-1-0x5-0x20-0x243 ' : ( None , ldb . ERR_NO_SUCH_OBJECT ) ,
' S-1-0x50000000-32-579 ' : ( None , ldb . ERR_NO_SUCH_OBJECT ) ,
' S-1-0x500000000-0x500000000-579 ' : ( None , ldb . ERR_NO_SUCH_OBJECT ) ,
' S-1-0x500000000-32-579 ' : ( None , ldb . ERR_NO_SUCH_OBJECT ) ,
' S-1-0xABcDef123-0xABCDef123-579 ' : ( None , ldb . ERR_NO_SUCH_OBJECT ) ,
' S-1-1-1-1-1-1-1 ' : ( None , ldb . ERR_NO_SUCH_OBJECT ) ,
' S-1-21474836480-32-579 ' : ( None , ldb . ERR_NO_SUCH_OBJECT ) ,
' S-1-22 ' : ( None , ldb . ERR_NO_SUCH_OBJECT ) ,
' S-1-22-1 ' : ( None , ldb . ERR_NO_SUCH_OBJECT ) ,
' S-1-22-1-0 ' : ( None , ldb . ERR_NO_SUCH_OBJECT ) ,
' S-1-281474976710655-579 ' : ( None , ldb . ERR_NO_SUCH_OBJECT ) ,
' S-1-281474976710656-579 ' : ( ' parse error ' , None ) ,
' S-1-3-0 ' : ( None , ldb . ERR_NO_SUCH_OBJECT ) ,
' S-1-3-99 ' : ( None , ldb . ERR_NO_SUCH_OBJECT ) ,
' S-1-5-0-579 ' : ( None , ldb . ERR_NO_SUCH_OBJECT ) ,
' S-1-5-040-579 ' : ( None , ldb . ERR_NO_SUCH_OBJECT ) ,
' S-1-5-0x20-579 ' : ( None , ldb . ERR_NO_SUCH_OBJECT ) ,
' S-1-5-11111111111111111111111111111111111-579 ' : ( ' parse error ' , None ) ,
' S-1-5-18446744073709551615-579 ' : ( ' parse error ' , None ) ,
' S-1-5-18446744073709551616-579 ' : ( ' parse error ' , None ) ,
' S-1-5-3 2-579 ' : ( None , ldb . ERR_NO_SUCH_OBJECT ) ,
' S-1-5-32- 579 ' : ( ' parse error ' , None ) ,
' S-1-5-32--579 ' : ( ' parse error ' , None ) ,
' S-1-5-4294967295-579 ' : ( None , ldb . ERR_NO_SUCH_OBJECT ) ,
' S-1-5-9999999999-579 ' : ( ' parse error ' , None ) ,
' S-1-99999999999999999999999999999999999999-32-11111111111 ' : ( ' parse error ' ,
None ) ,
' S-10-5-32-579 ' : ( None , ldb . ERR_INVALID_DN_SYNTAX ) ,
' S-2-5-32-579 ' : ( None , ldb . ERR_INVALID_DN_SYNTAX ) ,
' s-1-5-32-579 ' : ( ' parse error ' , None ) ,
def _test_sid_string_with_args ( self , code , expected ) :
dn_err , search_err = expected
dn_str = f " <SID= { code } > "
try :
dn = ldb . Dn ( self . ldb , dn_str )
except ValueError :
self . assertEqual ( dn_err , ' parse error ' )
except ldb . LdbError as e :
self . assertEqual ( dn_err , e . args [ 0 ] )
self . assertIsNone ( dn_err )
try :
self . ldb . search ( dn , scope = ldb . SCOPE_BASE , attrs = [ ' * ' ] )
except ldb . LdbError as e :
self . assertEqual ( search_err , e . args [ 0 ] )
self . assertIsNone ( search_err )
2023-04-13 12:13:26 +12:00
class SidStringsAsDnInSearchFilter ( SidStringBase ) :
2023-10-02 15:07:03 +13:00
""" How does a bad <SID=x> dn work in a search filter?
2023-04-13 12:13:26 +12:00
Answer : on Windows it always works .
skip_local = True
cases = { }
cases . update ( SidStringTests . cases )
cases . update ( SidStringsThatStartWithS . cases )
cases . update ( SidStringBehavioursThatSambaPrefers . cases )
def _test_sid_string_with_args ( self , code , _dummy ) :
basedn = self . ldb . get_default_basedn ( )
try :
self . ldb . search ( base = basedn ,
scope = ldb . SCOPE_ONELEVEL ,
2023-10-02 15:07:16 +13:00
expression = f " (distinguishedName=<SID= { code } >) " )
2023-04-13 12:13:26 +12:00
except ldb . LdbError as e :
self . fail ( f " expected no failure, got { e } " )
2023-04-13 12:17:28 +12:00
class SidStringsForSimpleBind ( SidStringBase ) :
""" Check whether dodgy SID strings work differently for simple-bind.
One of the many fallbacks for ldap simple bind is SID strings . We
just want to ensure that SIDs that might fail strangely in SID
parsing don ' t leak that strangeness (they don ' t ) .
skip_local = True
# here we are testing only the SID-like SIDs ("S-1-...", not "AA")
cases = { }
cases . update ( SidStringsThatStartWithS . cases )
cases . update ( SidStringBehavioursThatSambaPrefers . cases )
def setUpClass ( cls ) :
super ( ) . setUpClass ( )
server = os . environ [ ' DC_SERVER ' ]
cls . lp = param . LoadParm ( )
cls . host = f ' ldap:// { server } '
def _test_sid_string_with_args ( self , code , _dummy ) :
bind_creds = Credentials ( )
bind_creds . set_username ( code )
bind_creds . set_password ( " please " )
try :
SamDB ( url = self . host ,
lp = self . lp ,
credentials = bind_creds )
self . fail ( f " { code } seems to have connected properly " )
except ldb . LdbError as e :
num , msg = e . args
self . assertIn ( " NT_STATUS_INVALID_PARAMETER " , msg )
2022-03-15 19:24:38 +13:00
if __name__ == ' __main__ ' :
global_asn1_print = False
global_hexdump = False
import unittest
unittest . main ( )